Ads.txt Isn’t Enough – Keeping Ad Fraud at Bay

The industry needs to acknowledge the extent of this problem, and leverage technologies and methods adept in getting ahead of the savviest of fraudsters, says Luke Taylor.

This review of ads.txt from TrafficGuard’s COO Luke Taylor originally appeared in Branding in Asia.

There was a collective shake of heads within adland earlier this month – following the revelation that fraudsters have been successfully circumventing the protections offered by the Interactive Advertising Bureau’s (IAB) ads.txt initiative – first reported by the Wall Street Journal. The report made clear that the widely-lauded ads.txt was not the panacea it was once hoped to be.

Launched in 2017 amidst rallying calls from industry leaders for greater industry-wide transparency, ads.txt sought to combat two parasitic problems blighting the industry: the unauthorized resale of ad inventories, and the spoofing of domains.

The idea was simple: publishers who sold ad inventory would upload a list of authorized resellers on their servers, including ad networks and programmatic exchanges. Ideally, this would allow programmatic platforms to carry out due diligence and qualify the inventory they purchase.

The initial reports that came out following this launch painted a picture of optimism – within 6 months of its launch, as much as 44% of the 10,000 most popular digital domains had adopted ads.txt, buoyed by Google’s backing of the initiative. And as of January this year, as much as 41% of the top websites on the Alexa ranking were onboard, up from 34% the year before. The supply-side uptake was swift, and the industry appeared to be making headway against fraud. Or so they thought.

In reality, fraudsters were able to bypass ads.txt protections by scraping content off legitimate publishers, which was then hosted on websites with fake URLs designed to look deceptively similar to the original. Connivingly, they added new ad slots, and channeled high volumes of fake traffic to these sites to boost impression numbers. With all bases covered, the authentic-looking inventory was subsequently sold through authorised resellers, allowing fraudsters to “steal” ads.txt’s credibility.
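The check a buying platform runs against a publisher's ads.txt, together with a lookalike-domain flag for the spoofing described above, can be sketched as follows. This is an added example, not code from the article or from TrafficGuard; the domains, seller IDs, function names and the 0.85 similarity threshold are constructed assumptions, and the record layout (ad system domain, seller account ID, DIRECT or RESELLER) follows the IAB ads.txt format.

```python
import difflib

# Constructed sample ads.txt for a hypothetical publisher (not real data).
SAMPLE_ADS_TXT = """\
# ads.txt for news-example.com
exchange-a.example, pub-1001, DIRECT, abc123
exchange-b.example, 77-204, RESELLER  # trailing comment
contact=adops@news-example.com
malformed line without commas
"""

def parse_ads_txt(text):
    """Return a set of (ad_system_domain, seller_account_id, relationship)."""
    records = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments
        if not line or "=" in line.split(",")[0]:     # blanks, variable lines
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3 or fields[2].upper() not in ("DIRECT", "RESELLER"):
            continue                                  # ignore malformed records
        records.add((fields[0].lower(), fields[1], fields[2].upper()))
    return records

def is_authorized(records, ad_system, seller_id):
    """True if the seller account on that ad system is listed by the publisher."""
    return any(d == ad_system.lower() and s == seller_id for d, s, _ in records)

def lookalike_of(domain, known_publishers, threshold=0.85):
    """Return the known publisher that `domain` closely resembles, else None."""
    domain = domain.lower()
    if domain in known_publishers:
        return None
    for known in sorted(known_publishers):
        if difflib.SequenceMatcher(None, domain, known).ratio() >= threshold:
            return known
    return None

def assess_offer(declared_domain, ad_system, seller_id, ads_txt_by_domain, known_publishers):
    """Classify an inventory offer. `ads_txt_by_domain` stands in for fetching
    each domain's /ads.txt; the lookup is keyed on the *declared* domain only."""
    declared_domain = declared_domain.lower()
    near = lookalike_of(declared_domain, known_publishers)
    if near:
        return f"review: resembles {near}"            # ads.txt alone cannot see this
    records = parse_ads_txt(ads_txt_by_domain.get(declared_domain, ""))
    return "authorized" if is_authorized(records, ad_system, seller_id) else "unauthorized"
```

Because the ads.txt lookup only answers "is this seller listed for the domain named in the offer", the lookalike comparison has to run as a separate check against a list of publishers the buyer actually intends to purchase from.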

The shortcomings of ads.txt

While industry players unanimously agree that ads.txt is no more than a first layer of protection, few have pinpointed its major shortcomings.

So here’s our take: the vital flaw in ads.txt lies in its trust and reliance on intermediaries in the supply chain – to verify the authenticity of inventory by checking the publisher’s ads.txt. However, for these intermediaries, ads.txt serves to reduce their supply and erode their earning potential.

Essentially, while supply-side players get the ball rolling, ads.txt’s effectiveness relies on the integrity of intermediaries on the demand side – a party with a substantial conflict of interest. Despite seemingly everyone in the industry calling for transparency, the fact remains that there are parties in the ecosystem that stand to lose out if transparency prevails. We can’t rely on those parties to close the loop on ads.txt, or to take any other proactive role in fraud prevention.

Grabbing the bull by its horns

The fight against ad fraud is often allegorized as a game of whack-a-mole. Ads.txt, and any mitigation rule or technique taken in isolation, is just another ineffective strike of the hammer.

These are sophisticated fraud operations we are dealing with – ads.txt never left them shivering in their boots. Like any business that has a supply issue, fraud operations adapt and find new ways to get a slice of a very, very lucrative pie. In 2018, TrafficGuard estimated that as much as US$18 billion could be lost to ad fraud in Asia-Pacific alone.

The same WSJ report shared that, if left to their own devices, fraud operations manipulating ads.txt could cost between $70 and $80 million of advertisers’ spending in a year.

Ads.txt is a great first line of defense as an indication of the validity of a reseller’s inventory, but efforts shouldn’t stop there. There are other methods that can and should be used to bolster defense against domain spoofing. For example, when traffic is coming from a spoofed domain, it is usually bot traffic. Analysis of the characteristics and behavior of the traffic can uncover this regardless of whether ads.txt has been implemented and verified.

Of course, it’s easier said than done – digital advertising is a labyrinth of networks, aggregators and exchanges, in which infinite swathes of data can be processed at any given time. To keep up with the volume and velocity of data, technologies leveraging sophisticated analytics and machine learning will have to be embraced.

These technologies make sense of data, remove noise and, by analyzing the data to note patterns and correlations, are able to determine what normal human behavior looks like versus what fraud looks like. In doing this, it’s possible to invalidate traffic not by what the fraud tactic is (as this changes), but by comparing it to what normal traffic is.

Complacency is ad fraud’s cash cow

The growth of ad fraud will be synchronous with the digital ad industry’s – and especially so in Asia-Pacific. In 2018, three out of the top five countries which recorded the highest growth in internet users hailed from the region (Indonesia, India, China). Collectively, they accounted for 165 million new pairs of eyeballs on pages of the internet, for advertisers to reach out to – generating a ton of fresh ad money which will leave fraudsters licking their lips.

With the launch of ads.cert – an augmentation of ads.txt – on the horizon, the discovery of this fraud scheme is a timely reminder that one single rule or mechanism cannot stop fraud in its tracks. Ads.txt was created to solve one vulnerability in the system and in the process, it has unfortunately created a false sense of security that fraudsters were able to exploit. But fraudsters didn’t exploit ads.txt. They exploited complacency.

Ultimately, ad fraud is an $18 billion industry in APAC. Adversaries are well funded, innovative operations that evolve and adapt like any successful business – that means the fraud we are dealing with is growing in sophistication.

The industry needs to acknowledge the extent of this problem, and leverage technologies and methods adept in getting ahead of the savviest of fraudsters.